Avoid NaN comparison in CFXA_FillPathWithShading() bounds checks.
Because (0.0f / 0.0f) is neither less than 0.0, nor greater
than 1.0, nor safely in the range between the two.
Bug: chromium:931175
Change-Id: Ib0f9a6cf96ebd9a9f4f6550054ff355d6cff296e
Reviewed-on: https://pdfium-review.googlesource.com/c/50552
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
diff --git a/xfa/fxgraphics/cxfa_graphics.cpp b/xfa/fxgraphics/cxfa_graphics.cpp
index 1980e0d..8e11db4 100644
--- a/xfa/fxgraphics/cxfa_graphics.cpp
+++ b/xfa/fxgraphics/cxfa_graphics.cpp
@@ -293,24 +293,26 @@
float y_span = end_y - start_y;
float axis_len_square = (x_span * x_span) + (y_span * y_span);
for (int32_t row = 0; row < height; row++) {
- uint32_t* dib_buf = (uint32_t*)(bmp->GetBuffer() + row * pitch);
+ uint32_t* dib_buf =
+ reinterpret_cast<uint32_t*>(bmp->GetBuffer() + row * pitch);
for (int32_t column = 0; column < width; column++) {
- float x = (float)(column);
- float y = (float)(row);
- float scale = (((x - start_x) * x_span) + ((y - start_y) * y_span)) /
- axis_len_square;
- if (scale < 0) {
- if (!m_info.fillColor.GetShading()->m_isExtendedBegin) {
- continue;
+ float scale = 0.0f;
+ if (axis_len_square) {
+ float y = static_cast<float>(row);
+ float x = static_cast<float>(column);
+ scale = (((x - start_x) * x_span) + ((y - start_y) * y_span)) /
+ axis_len_square;
+ if (scale < 0.0f) {
+ if (!m_info.fillColor.GetShading()->m_isExtendedBegin)
+ continue;
+ scale = 0.0f;
+ } else if (scale > 1.0f) {
+ if (!m_info.fillColor.GetShading()->m_isExtendedEnd)
+ continue;
+ scale = 1.0f;
}
- scale = 0;
- } else if (scale > 1.0f) {
- if (!m_info.fillColor.GetShading()->m_isExtendedEnd) {
- continue;
- }
- scale = 1.0f;
}
- int32_t index = (int32_t)(scale * (FX_SHADING_Steps - 1));
+ int32_t index = static_cast<int32_t>(scale * (FX_SHADING_Steps - 1));
dib_buf[column] = m_info.fillColor.GetShading()->m_argbArray[index];
}
}
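Review bot: The new `if (axis_len_square)` guard covers only an exactly-zero denominator, so a NaN `scale` can still reach the `index` computation. A NaN `axis_len_square` is truthy, and an infinite one can give inf/inf; either would follow from non-finite or very large `start_x`/`end_x`/`start_y`/`end_y`, whose origin is outside this hunk. A NaN `scale` fails both `scale < 0.0f` and `scale > 1.0f`, and the `static_cast<int32_t>` of NaN is undefined, so `index` could fall outside `m_argbArray`. I would reject it explicitly just before the index line with `if (std::isnan(scale)) continue;` (needs `<cmath>`), or write the lower check as `if (!(scale >= 0.0f))` so NaN takes the clamped path. The enclosing function starts and ends outside the hunk, so an earlier validation of the endpoints may already exist and should be confirmed.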